This Week in WebKit — June 06 - June 12, 2026

AddOriginAccessAllowListEntry and friends started life as a TestRunner SPI for letting layout tests bypass CORS, and they sat on NetworkConnectionToWebProcess with no [EnabledBy=...] annotation and no caller-side check that sourceOrigin belonged to the sender. A compromised WebContent could synthesize the IPC, inject any (sourceOrigin, destinationHost) tuple, and lift the same-origin policy — and because the allowlist lives process-globally inside the NetworkProcess, the lift applies transitively to every other WebContent sharing the network process. The fix gates all three messages behind AllowTestOnlyOriginAccessAllowListIPC, which is false in production.

When JSString::swapToAtomString swaps a string's underlying StringImpl for its atomized equivalent, the old String lands on Heap::m_possiblyAccessedStringsFromConcurrentThreads to keep the buffer alive while concurrent GC threads might still be reading it. Heap::finalize cleared that list at the end of every GC. Meanwhile a GCOwnedDataScope on the C++ stack holds a StringView into the old buffer — and a re-entrant JS callback (Symbol.toPrimitive, toString) invoked between buffer capture and consumption can trigger the swap and a full GC inside the same stack frame. The finalize then drops the only retention, freeing the bytes the stack still reads from.